Smartphone security: Keep your handset safe
12 January, 2011 02:07
Your Second Line of Defense
Remote wipe, plus the aforementioned password protection, is the bare minimum that most IT departments will require, although the specific steps you'll need to take very much depend on the level of security at your company.
Remote wipe means that if your phone is lost or stolen, you can remotely clear all of your data--including e-mail, contacts, texts, and documents--off of the handset, thus keeping that information out of the wrong hands.
You or your IT department can set this feature up for any of the major OSs, as well as use Microsoft Exchange to wipe the device (provided that you have an Exchange account). Those people without Exchange accounts or IT departments have other, simpler options.
- Android, BlackBerry, and Windows Phone 7: If your OS is one of these, you're in luck, as you can find many fantastic third-party applications that allow you to remotely wipe your device. Lookout Mobile Security is just one example that not only enables you to wipe your device via the Web but also lets you track a lost device through GPS, back up your data over the air, and even scan for viruses. Its basic version is free, but to enable advanced features such as remote wipe you will have to pay for a Premium account ($3 a month or $30 a year). You'll encounter big players in the security-app game, too; for instance, NotifyMDM, Symantec, and Zenprise sell multiple-mobile-device management systems to companies.
- iOS: iPhone remote wipe is a bit trickier. If you have iOS 4.2 or higher, you can simply download the Find My Phone app from the App Store, and enable it in MobileMe in the Settings app. If you lose your phone, you can log in using MobileMe via Apple's Website to track it, display a message, or wipe it. If you have an older version of iOS, though, you'll need a paid MobileMe account, which costs a steep $99 a year. Plus, you'll have to enable the function by going to Settings, choosing Mail, Contacts, Calendars, and clicking Fetch New Data then Enable Push. Afterward, return to the 'Mail, Contacts, Calendars' screen and select your MobileMe account.
Note that all of the apps and services mentioned in this section, as well as other tools (such as Mobile Defense and Where's My Droid?), can help you find your phone via GPS. These apps have drawn attention lately, as their usage has led to the arrest of several thieves and carjackers.
Trojan Horses, Malware, and Viruses
"As there gets to be hundreds of millions of smartphones out there, that becomes a bigger target for attackers," says Ahmed Datoo, chief marketing officer for Zenprise. His firm creates software that enables a large company's IT department to scan all devices in the system at once, remotely, to make sure no malware has snuck in.
"We have seen a rise in malware across the board for all platforms. Lately it's been focused on the newer devices with greater adoption: iOS, Android," he says.
And if you're thinking that kind of thing results only from installing pirated software from sketchy Websites, be forewarned that attacks can also occur in official app stores.
What should you do? Consumers should turn to third-party apps once more. If you're on Android, BlackBerry, or Windows Phone 7, again consider Lookout: It scans your phone for malware and spyware, even examining any application you download. That said, it could still miss a nasty SMS or MMS script, so think twice before you open an MMS item from someone you don't know. Symantec, which makes business-level products for virtually every mobile platform, also creates consumer-level tools for Android and Windows Phone 7; more software like Mobile Defense is emerging, too.
iOS doesn't really have antivirus apps available on a consumer level, relying instead on Apple's stringent App Store policies to keep out malware. Considering the scale and speed at which apps are submitted and approved, though, things are bound to slip through the cracks. The potential for human error is just too great to deny. On iOS you can use the Trend Smart Surfing app, which blocks access to Websites known to contain malware or potential phishing attacks. It would be nice to see more protection for various inboxes, though.
Third-Party Apps That Share Too Much
When you install a third-party app, you grant it certain privileges. Those privileges may include access to your physical location, contact information (yours and that of others), or other personal data. Most of the time an app will be fine, but how do you know what its makers are doing with those privileges and your information? The short answer: You don't.
Most phone OSs try to handle this problem with a centralized application-store screening process, attempting to weed out any bad eggs before they get in. Again, however, undesirable things slip through.
Android takes a different approach, having looser central control but providing the end user with more information. Before you install an application on Android, the app must ask you for specific permissions. Don't simply ignore such messages. If you're just trying to install a simple wallpaper, ask yourself why it needs access to your contacts and your location. Be judicious when granting permissions.
Additionally, with all platforms, always pay close attention to app ratings and read the comments to see what other users have said. If an app has merely 50 downloads and a two-star rating, do a little digging and find out why. The best protection here really is common sense. Failing that, Lookout Premium can provide you with an overview of the permissions you have granted.
Even major companies including Facebook and Pandora have been sharing (read: selling) more user information than was commonly thought. Your options are pretty much limited to avoiding these applications or starting a letter-writing campaign.
Which OS Is the Most Secure?
There is no easy answer to this question. All of the major smartphone OSs have made significant strides in the last year.
"From an enterprise control and security standpoint, BlackBerry is still the gold standard," says Khoi Nguyen, director of product management for mobile security at Symantec. RIM's phones also feature advanced, devicewide encryption--including for the SD Card--that's cleared for usage at some of the highest levels of government.
Yet in the last six months Apple and Android have expanded support for security management, and more companies appear comfortable using them, Nguyen adds. Also, to enable further security, device manufacturers such as HTC and Motorola have added proprietary software on top of the various OSs their phones support.
With Windows Phone 7, Microsoft is following a similar strategy to that of Apple and Google in that it's starting out by keeping its mobile OS consumer-focused. The company is likely to add more business-friendly security in days to come, however.
One of the biggest holes in Android's security that's slowing its mass adoption in the business world is its lack of encryption, especially on the SD Card. That's a significant risk for business users, who save their e-mail attachments on unencrypted SD Cards.
BlackBerry phones offer the option to encrypt SD Cards, whereas iOS and Windows Phone 7 do not currently support removable storage. That said, many companies are willing to accept phones with unencrypted SD Cards, as long as remote wiping is set up. This arrangement will be fine for most consumers, too. It's important to note, though, that in order to wipe a phone remotely, it must be powered on and have a data connection. So if someone pulls the battery out of your Droid before you wipe it, you cannot erase your SD Card.
Smartphone Security For the IT Crowd
The enterprise ecosystem has changed dramatically in the past year. Each end user wants to stick with the device they prefer personally, and they want to use it for work. Denying them that freedom doesn't always go over so well.
"The days of the IT department trying to regulate what devices users can and can't have--that battle is lost. So they should focus on their real mission, which is providing security to their users," says Datoo of Zenprise.
With so many platforms and new devices flooding the market, how can the IT pro at a small company possibly develop software to track them all, and keep them virus-free? More companies are turning that job over to software developers such as NotifyMDM, Symantec, and Zenprise, which enable management of a company's devices from a single interface.
Third-party software allows an IT admin to search all devices at the same time--whether for 5 or 57,000 users--while still accommodating the latest, most cutting-edge phones.
It's a brave, new, constantly evolving world out there. While we have yet to see an attack on smartphones that rivals the scale of PC attacks, attempts are becoming more and more frequent, and they will continue to proliferate. Critical thinking and your browser's search button may always be your best line of defense.